Good Day,
I am struggling with an IPsec tunnel between a CP device and a Fortinet device. Using AES-256, SHA256 and Group19 for both Phase 1 and Phase 2 encryption, yet I get the above error. This is the first time I am doing an IPsec tunnel between the two devices; would anyone be able to advise me as to what the problems could be?
This usually points to a mismatch in configuration.
Refer to #11 here: https://support.checkpoint.com/results/sk/sk181787
Do you even see phase 1 completing? You can check that via vpn tu on CP and from the GUI on Fortigate. Debugs you can do. I would still double check to make sure all settings do match, but debug would 100% confirm that. If it fails phase 1, depending where, it could be a PSK issue or basic settings are mismatched. If phase 2, then most likely VPN domains.
CP:
vpn debug trunc
vpn debug ikeon
-generate traffic
vpn debug ikeoff
get the iked and vpnd files from the $FWDIR/log dir
Fortigate:
di de di
di de application ike -1
di de en
Hope that helps.
Andy
Encryption groups are configured the same but get the below
457126603; 9Jul2025 10:45:01.279891;[kern];[tid_1];[SIM-241580892];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3);
457126603; 9Jul2025 10:45:01.279897;[kern];[tid_1];[SIM-241580892];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet;
457126605; 9Jul2025 10:45:01.279902;[kern];[tid_1];[SIM-241580892];sim_pkt_send_drop_notification: (0,1) received drop, reason: Encryption Failed, conn;
457126605; 9Jul2025 10:45:01.279907;[kern];[tid_1];[SIM-241580892];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn;
457126605; 9Jul2025 10:45:01.279911;[kern];[tid_1];[SIM-241580892];sim_pkt_send_drop_notification: sending single drop notification, conn;
457126606; 9Jul2025 10:45:01.279917;[kern];[tid_1];[SIM-241580892];do_packet_finish: SIMPKT_IN_DROP vsid=0, conn:
What do you see on Fortigate side?
Andy
The traffic is coming through on their side, so they can see the ping request coming through, and no errors show up.
The Check Point "traffic selectors unacceptable" message should include the networks it is sending to the Fortinet, see the highlighted section below. Do the networks in that message match on the Fortinet side? If not, that is the problem.
How do you have the addresses setup on the Fortinet side for Phase 2 selectors? Do you have it configured as "IP Address" or "Subnet"? You have to have the tunnel sharing mode setup on the Check Point side to match. Ideally you should be defining a subnet for the Fortinet Phase 2 selector and using the Check Point "One VPN tunnel per subnet pair" option for tunnel sharing.
Have it configured as IPs on the Fortigate side, One VPN tunnel per subnet pair. No message comes up on the Fortigate side with traffic selectors being a problem, only on the Check Point side.
I get a lot on MyTSi and some on Peer TSr; we did try to configure the ones missing on the Fortinet side, but that just added more on their side after doing so.
Setting them as IP addresses on the Fortigate side means you need to use the Check Point VPN tunnel sharing mode as "One VPN tunnel per each pair of hosts". You will also need to make sure that those IP addresses are defined as hosts within your Check Point VPN domain.
I have changed it to One VPN tunnel per each pair of hosts, but I also see that there was no VPN domain set up. I took over from the last guy, and he wasn't motivated to continue with it, so it wasn't completed when he left, and now I am left with trying to get this working.
Is it a combo of hosts/subnets? If so, then choose per gateway.
Andy
I know the Fortigate side has /32s and CP side has /24
Just want to confirm that they need to configure the MyTSi from the CP side onto the Fortigate side, is that correct?
They do, yes. It has to match 100%; otherwise, it won't work.
How is tunnel management currently configured on the CP side?
Andy
If it's a universal tunnel, that looks right. Can you send the same for the Fortigate side? We need to make sure it matches.
Andy
I have asked the Fortinet side to send it; I don't have access there myself.
Though I am also checking these out from one of the older posts you helped with, making sure they are set to false:
ike_enable_supernet
ike_p2_enable_supernet_from_R80.20
ike_use_largest_possible_subnets
Please ask them for what I attached, that's what we need. It's from my lab. I had a FortiSASE tunnel, but since Fortinet does not allow it to be in SSL VPN mode any more (they even force people to sign an agreement stating they are okay with it, due to security reasons), they had to wipe my lab to convert it to IPsec mode, so that's why the tunnel is down, but you get the idea.
Andy
Hi Andy,
Please see the Phase 2 selectors from Fortinet's side.
Something does not make sense here, at least to me. So if it's a universal tunnel, why even bother using 192.168.x.x and 10.11.x.x subnets? Just have them leave 0.0.0.0 and you can use an empty group as the encryption domain on the CP side. That's how I set up many tunnels in the lab and never had an issue.
Andy
You and me both. I've been trying to figure out why it hasn't been working, but I will speak to them about just using 0.0.0.0, as that might fix it.
The below is the only part that I am struggling with fixing:
Child SA exchange: Sending notification to peer: Traffic selectors unacceptable MyTSi: MyTSr: <41.0.234.241> <41.21.161.201> <41.21.231.202 - 41.21.231.203> <192.168.68.0 - 192.168.68.255> <224.0.0.0> <224.0.0.0 - 224.0.0.255> Peer TSi: Peer TSr: <192.168.200.0 - 192.168.200.15>
I have done the CP changes and have asked the Fortigate side to leave 0.0.0.0 only; will see tomorrow and give feedback.
Let us know. Happy to do a remote session if available, just need to be outside EST business hours.
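As an added illustration (not from the thread or from either vendor), a small Python script that parses the Check Point "Traffic selectors unacceptable" notification quoted above into its four selector lists and reports which ranges are not covered by the Phase 2 selectors configured on the Fortigate. The Fortigate selector lists are constructed sample values, since the thread does not list them, and the pairing of each Check Point list with a Fortigate local/remote selector is an assumption noted in the comments.

```python
import ipaddress
import re

# Constructed sample: the notification quoted in this thread (MyTSi and Peer TSi are empty).
CP_NOTIFICATION = (
    "Child SA exchange: Sending notification to peer: Traffic selectors unacceptable "
    "MyTSi: MyTSr: <41.0.234.241> <41.21.161.201> <41.21.231.202 - 41.21.231.203> "
    "<192.168.68.0 - 192.168.68.255> <224.0.0.0> <224.0.0.0 - 224.0.0.255> "
    "Peer TSi: Peer TSr: <192.168.200.0 - 192.168.200.15>"
)
# Constructed sample of the Fortigate Phase 2 selectors (the thread says /32 hosts but
# does not list them). Assumption: the Check Point "MyTSr" list must be covered by the
# Fortigate's remote selectors and "Peer TSr" by the Fortigate's local selectors.
FORTI_SELECTORS = {
    "MyTSr": ["41.0.234.241/32", "41.21.161.201/32", "192.168.68.0/24"],
    "Peer TSr": ["192.168.200.0/28"],
}
SECTION_RE = re.compile(r"(MyTSi|MyTSr|Peer TSi|Peer TSr):")
RANGE_RE = re.compile(r"<([\d.]+)(?:\s*-\s*([\d.]+))?>")

def parse_selectors(msg):
    """Return {list name: [(first_ip, last_ip), ...]} for the four selector lists."""
    parts = SECTION_RE.split(msg)  # [prefix, name, body, name, body, ...]
    result = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        result[name] = [(ipaddress.ip_address(a), ipaddress.ip_address(b or a))
                        for a, b in RANGE_RE.findall(body)]  # "<x>" is the range x - x
    return result

def as_cidrs(rng):
    """Express a first-last range as the CIDR blocks it spans, for readable output."""
    return [str(n) for n in ipaddress.summarize_address_range(*rng)]

def covered(rng, networks):
    """True if the whole range sits inside one of the configured networks."""
    first, last = rng
    return any(first in n and last in n for n in map(ipaddress.ip_network, networks))

def find_uncovered(msg, configured):
    """For each list in `configured`, the Check Point ranges no Fortigate selector covers."""
    selectors = parse_selectors(msg)
    return {name: [r for r in selectors.get(name, []) if not covered(r, nets)]
            for name, nets in configured.items()}

if __name__ == "__main__":
    for name, missing in find_uncovered(CP_NOTIFICATION, FORTI_SELECTORS).items():
        print(name, "not covered on Fortigate:", [as_cidrs(r) for r in missing])
```

With the sample selectors the script reports the 41.21.231.202/31 pair and the two multicast 224.0.0.0 entries as missing on the Fortigate side, which is the kind of leftover mismatch the thread's "just use 0.0.0.0" advice sidesteps.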
Andy
Hi, the tunnel is now authenticated after the changes you suggested on both the CP and Fortigate side; now the Fortigate just needs to allow the traffic through the firewall haha
There you go... I had done this probably, um, I don't know, 100+ times, so it's all in my head somehow lol
Glad we can help. Let us know once it works fully.
Andy